I have searched but couldn't find anyone with the exact same problem as mine.
This is the message I got from HTCDev.com
We're sorry, but it appears your attempt to unlock the bootloader on this device has failed. This could be caused by several factors including simple errors in the entry of the unlock token, problems with your device, or a lack of manufacturer support for the unlocking process. Please see the specific error code listed below, and try again if necessary.
Error Code: 173.
Error Reason: Check Rule Fail with exception.
I have all the requirements (HTC Drivers, adb and fastboot files, JRE) and I am 100% sure I copied the code correctly as I have helped friends unlock their HTC phones before.
Also its definitely not the carrier disallowing me to unlock.
Can anyone help me figure out what's wrong here?
Servers down !?
http://www.isitdownrightnow.com/htcdev.com.html
More info here
Hey,
I've been researching the OP3 bootloader and the bootloader warning and I've found a possible method to hide it.
There is a file "emmc_appsboot.mbn" which contains information and strings (see content below). I'm not sure if modifying the file causes booting problems. I've examined the file and found something about verifying various files and blocking the boot process. I'm looking for someone who could help me and explain things. What do you think? If it's going to brick, would it be unbrickable?
Strings:
"Start >"
"< More options"
"Your device has been unlocker and cann't be trusted"
"To learn more, visit: g.co/placeholder"
"If no key pressed:
Your device will boot in 5 seconds"
Something about blocking the boot:
This phone has been flashed with unauthorized software & is locked. Call your mobile operator for additional support.Please note that repair/return for this issue may have additional cost.
boot_verifier: keystore length is invalid
I'm thinking about replacing all these texts with spaces to make the screen look blank. That's the way to "hide" the text, but there's still going to be the 5 seconds delay.
Download link to the file: http://d-h.st/SQID (Uploading attachments wasn't working when I posted this)
EDIT: Feel free to examine the file with a hex editor. Search for those strings to find the position.
There're already two threads dealing with the bootloader warning:
http://forum.xda-developers.com/oneplus-3/how-to/help-how-to-remove-device-unlocked-t3425028/page7
http://forum.xda-developers.com/oneplus-3/help/request-remove-bootloader-unlocked-t3405485
meiser said:
There're already two threads dealing with the bootloader warning:
http://forum.xda-developers.com/oneplus-3/how-to/help-how-to-remove-device-unlocked-t3425028/page7
http://forum.xda-developers.com/oneplus-3/help/request-remove-bootloader-unlocked-t3405485
Click to expand...
Click to collapse
I know, but neither one is dealing with this exact file/method. There is of course the "logo.bin", but I don't think it includes the warning message as I've found it from the file I discovered.
santeri3700 said:
I know, but neither one is dealing with this exact file/method. There is of course the "logo.bin", but I don't think it includes the warning message as I've found it from the file I discovered.
Click to expand...
Click to collapse
the "warning" message is inside the aboot....at the moment there's no way to modify this file....but....we will see.
lance2010 said:
the "warning" message is inside the aboot....at the moment there's no way to modify this file....but....we will see.
Click to expand...
Click to collapse
Isn't it possible to modify the hex codes? Or is it the verification that is the problem in this case?
Edit: I've seen that people edit this file with success.
santeri3700 said:
Isn't it possible to modify the hex codes? Or is it the verification that is the problem in this case?
Edit: I've seen that people edit this file with success.
Click to expand...
Click to collapse
where did you see it running?
editing is not the problem, flashing it back is not the problem...but the phone won't start, even if you change a single bit !
there's an checksum active even if you set your phone to unlock_critical...
lance2010 said:
where did you see it running?
editing is not the problem, flashing it back is not the problem...but the phone won't start, even if you change a single bit !
there's an checksum active even if you set your phone to unlock_critical...
Click to expand...
Click to collapse
It was a Samsung and a Xiaomi device (partition and bl unlocking stuff, so not exactly related to this). The checksum is what I'm after.
Unfortunately I don't have enough experience and I don't know if it's even possible to do this.
I'm wonder what exactly happens if I edited the code to have only "spaces" or "NBSP".
Would I get any response from the device? Would I see any error codes on the screen?
I'm too unsure to risk my device. But thanks for the answer!
if you not know how to use the OP3 unbrick tool, let it be..in result you got an unbootable device if you change anything inside the bootloader.
It can't be changed.
if you're reading this thread, you're likely tearing out your hair in apt frustration because you're just trying to unlock your bootloader and its a no-go. If you're coming from a One M7 or M8, just be aware that HTC's switched up the game since then. Also, everything mentioned below is indirectly applicable to HTC 10 owners as well.
Writing up this thread as that was me, and I scoured pretty much every link pulled from variations of google keyword searches; and as I was successful in finally unlocking the damn thing, here is my braindump:
[in no particular order], and YMMV, much of this is a compilation of things that saved other people experiencing such errors, every rock unturned is a rock unturned.
There's a new "download mode"---the ol' white backgrounded fastboot that you used to know and love, that's sidelined, you must run fastboot on the black backgrounded Download mode format.
you CANNOT use the standard Google/Android SDK's fastboot. I know, wtf. you MUST use HTC's fastboot (the one they provide on HTCdev.com; note that their's is missing an ADB, you can pluck the ADB portion from the standard Android SDK).
If you are experiencing a fail, I recommend immediately wiping the whole device (reset all data), and then starting anew: from there, be sure to: --get Developer, and check the: allow OEM unlocking + allow USB debugging boxes. also, while you're in settings, might as well: increase the screen off time, put 'no lock screen', allow unknown sources installations, etc. then after all that's set, then try and run the fastboot.
for whatever reason, the Gmail web client might not work happily with your unlock_code.bin that you get sent---and/or you're getting weird HTCdev login errors even though you put in the right password---eff that noise; start anew: create a new account, don't use a Gmail email (I used a live.com email to get the unlock_code.bin that ended up being the golden goose egg). yeah, for reasons unknown, there's some RNGmagic mojo crap going on here, so if you're experiencing errors, there's really nothing to lose by going new routes.
don't use Chrome to go to the HTCdev website; I used Edge (no deliberate Microsoft plug or anything here, fyi)
the HTCdev website won't accept your fastboot paste of oem unlocking info if its not the right number of characters, I tested this, so that's not the problem if you thought it was; I recommend opening up a Notepad and just copying and pasting it there and then double-checking that, and then pasting it onto the HTCdev site.
Dont mean to burst your bubble.. Thats all old news.
Beamed in by telepathy.
Hi!
I am currently working to get my G4 (H815T) unlocked, and although not officially supported by LG, I am looking to reverse engineer the unlock.bin files that one can get through developer.lge.com, also got in touch with Swedish support, whom actually got a so called specialist to try to obtain a file for me, so perhaps there is hope that I will get my hands on one! (prob not going to happen, but the guy is breaking internal rules to try to help me so possible)
Regardless of LG Sweeden, to get started with the reverse engineering project I need a unlock.bin file from a H815 (EU version) anyone on the forum willing to provide one?
jjbredesen said:
Hi!
I am currently working to get my G4 (H815T) unlocked, and although not officially supported by LG, I am looking to reverse engineer the unlock.bin files that one can get through developer.lge.com, also got in touch with Swedish support, whom actually got a so called specialist to try to obtain a file for me, so perhaps there is hope that I will get my hands on one! (prob not going to happen, but the guy is breaking internal rules to try to help me so possible)
Regardless of LG Sweeden, to get started with the reverse engineering project I need a unlock.bin file from a H815 (EU version) anyone on the forum willing to provide one?
Click to expand...
Click to collapse
Ensure that you read the following thread. Completely. Besides many important information you will also find unlock files and why you can't do anything with it:
https://forum.xda-developers.com/g4/help/unlock-technical-steps-to-make-unlocked-t3165391
If you still have interest to do something here let me know. Best is to use IRC. You can find me on freenode in the channel #Carbon-Fusion .
.
Sent from my LG-H815 using XDA Labs
steadfasterX said:
Ensure that you read the following thread. Completely. Besides many important information you will also find unlock files and why you can't do anything with it:
https://forum.xda-developers.com/g4/help/unlock-technical-steps-to-make-unlocked-t3165391
If you still have interest to do something here let me know. Best is to use IRC. You can find me on freenode in the channel #Carbon-Fusion .
.
Sent from my LG-H815 using XDA Labs
Click to expand...
Click to collapse
Ah, I see, was not aware that the community had a go at this...
So after reading the thread my understanding is basically that the unlock.bin is a standard action authorization token. Used in an OEM action authorization protocol.
So the unlock.bin would normally be generated with a action authorization nonce (It takes the form "::<8 bit action id>:<16 client random bytes>" with all fields hex encoded.) It looks like in this case LG has opted to use the Device ID and IMEI instead of the AAN.
The AAN would be signed to a OAK. (Override Authorization Key, basically it is a public key that is set in the device during manufacturing and that is used to validate action authorization tokens. It is stored as the OAK time-based authenticated EFI variable under the Fastboot GUID of 1ac80a82-4f0c-456b-9a99-debeb431fcc1. The content of this variable is the SHA256 sum of the OAK certificate., and as I understand the developers in the thread you linked to have been able to crack it.)
The AAT token (unlock.bin) should then be a PKCS #7 signed document, where the body takes the form "::<8 bit action id>:<16 client random bytes>:<16 auth agent random bytes>" with all fields hex encoded. The auth agent random bytes added when creating the authorization is to prevent an attacker from mounting an attack by supplying known plain-text values. (this fits perfectly with what we have seen when trying to read the unlock.bin files using HEX editors)
The token must contain all certificates required to validate the signature chain of the token.
The action authorization agent must verify that the nonce is exactly in the prescribed format. (LG website when requesting IMEI and Device ID)
The action authorization agent must verify that the action ID in nonce is a recognized value. (Valid IMEI and Device ID)
If possible, the action authorization agent should verify that the serial number of the G4 is valid. (So custom Device-ID's and IMEI's will not save us)
So what LG is doing here is a a OEM action authorization protocol, basically it is a simple challenge response where the device's Fastboot generates a nonce in this case they just use the Device ID and IMEI, then the OEM action authorization agent signs the nonce and approved action using its private override authorization key (OAK) to generate an authorization token, (this would be the developer.lge.com side of things and the private key is the one the developers in the thread need, but can't crack) and then the device's Fastboot validates the action authorization token (unlock.bin) and executes the action. (bootloader=unlocked)
Now we understand the policy, but even if we got the private key, when flashing a modified unlock.bin fastboot would need to validate that there is no extra data after parsing the token,verify that the signature's certificate chains to the OAK set at manufacturing, verify that all values in the token body have the prescribed values and verify that the value returned by the "oem get-action-nonce " command matches the value in the token body (IMEI and Device-ID)
So to my knowledge we have no chance to unlock the dam thing, that is unless we can find a backdoor to change the bootloader policy mask from state 0 to 1, then the signature enforcement chain described in the thread you linked too would be disabled, but I don't know how this could be done.
jjbredesen said:
...
Click to expand...
Click to collapse
Can you help me on manually verifying the chain?
I extracted all certs and all other parts which are possible. I can verify the certificate chain itself without problems (yes that one is easy) but I want to do the same steps the boot process takes to verify.. I want to use standard Linux commands or python code to do so if possible. Like verifying the digest it whatever is needed..
There is nothing I want to break here but the device needs to do these steps so it must be everything needed for this in the device itself.
I just want to do it manually. Could you guide me how?
.
Sent from my LG-H815 using XDA Labs
I am following the instructions from motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a
I've downloaded Motorola drivers for Mac, as well as platform-tools. I am booting the phone to booloader but then a weird barcode shows up: imgur.com/a/8sT2lds
Any idea how to make progress from there? By the way my phone model is XT2029-2
Nycticorax said:
I am following the instructions from motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a
I've downloaded Motorola drivers for Mac, as well as platform-tools. I am booting the phone to booloader but then a weird barcode shows up: imgur.com/a/8sT2lds
Any idea how to make progress from there? By the way my phone model is XT2029-2
Click to expand...
Click to collapse
Would like to know it too. Passed some days searching the web for a answer, and got none. The only thing I get when scanning the barcode is a number that AFAIK doesn't match any serial nor anything at all in the phone; just a number from what I can tell. Using fastboot oem get_unlock_data doens't work at all too, I just get a "command unknown" error returned from fastboot. Tried different drivers, none seemed to work, and the only ones that did, gave me the barcode and the fastboot error when trying to unlock. A very weird error, this one; fastboot devices work just fine, fastboot getvar all too, so it really doesn't seem like a fastboot or driver issue. My last try was this article (https://www.xda-developers.com/how-to-discover-hidden-fastboot-commands/) to see if I could get a list of the phones OEM commands and figure out how to unlock it. Tried to extract the bootloader from the firmware I downloaded online, using a tool I found on the forum, but no success until now. Will try to root the phone and extract it as it is shown in the tutorial to see if I can get more lucky. I saw somewhere that there's an app called sunshine that was used to unlock some older models, maybe you wanna try that too. I won't, because it's paid and I don't have the money to pay for it . Anyway, I'll try the bootloader extracting and see how that works, and depending on the output, maybe I'll post a tutorial here.
Def4lt_ said:
Would like to know it too. Passed some days searching the web for a answer, and got none. The only thing I get when scanning the barcode is a number that AFAIK doesn't match any serial nor anything at all in the phone; just a number from what I can tell. Using fastboot oem get_unlock_data doens't work at all too, I just get a "command unknown" error returned from fastboot. Tried different drivers, none seemed to work, and the only ones that did, gave me the barcode and the fastboot error when trying to unlock. A very weird error, this one; fastboot devices work just fine, fastboot getvar all too, so it really doesn't seem like a fastboot or driver issue. My last try was this article (https://www.xda-developers.com/how-to-discover-hidden-fastboot-commands/) to see if I could get a list of the phones OEM commands and figure out how to unlock it. Tried to extract the bootloader from the firmware I downloaded online, using a tool I found on the forum, but no success until now. Will try to root the phone and extract it as it is shown in the tutorial to see if I can get more lucky. I saw somewhere that there's an app called sunshine that was used to unlock some older models, maybe you wanna try that too. I won't, because it's paid and I don't have the money to pay for it . Anyway, I'll try the bootloader extracting and see how that works, and depending on the output, maybe I'll post a tutorial here.
Click to expand...
Click to collapse
Ok so after analysis the barcode just the IMEI associated with my SIM card's slot. (This phone has two SIM card slots.) Nothing interesting about it, I think.
Also it seems that Motorola does not support unlocking this bootloader as it does for other phones; in fact "motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a" is just a hub for any phone listed at "support.motorola.com/us/en/solution/MS87215", and this one is not on the list. I am not aware of any way to unlock the bootloader in these circumstances.
Please let me / us know if you are more successful than me. For now I will consider this phone not rootable via this method.
PS: The furthest I've been: `fastboot oem get_unlock_data` returns a blank line as if the mobile was working. No error message or anything.
PPS: What do you mean by "extracting the bootloader"? What rooting method is extracting the bootloader part of?
The official list of devices that can be unlocked has never been complete.
Usually all moto models can be unlocked, except Carrier branded devices or those on Amazon software channel.
Those getting the barcode screen, is that from
Pressing the volume down button and power on, or
adb reboot bootloader
?
Sent from my ali using XDA Labs
Nycticorax said:
Ok so after analysis the barcode just the IMEI associated with my SIM card's slot. (This phone has two SIM card slots.) Nothing interesting about it, I think.
Also it seems that Motorola does not support unlocking this bootloader as it does for other phones; in fact "motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a" is just a hub for any phone listed at "support.motorola.com/us/en/solution/MS87215", and this one is not on the list. I am not aware of any way to unlock the bootloader in these circumstances.
Please let me / us know if you are more successful than me. For now I will consider this phone not rootable via this method.
PS: The furthest I've been: `fastboot oem get_unlock_data` returns a blank line as if the mobile was working. No error message or anything.
PPS: What do you mean by "extracting the bootloader"? What rooting method is extracting the bootloader part of?
Click to expand...
Click to collapse
That's weird. My barcode number doesn't seem to match any numbers at all, serial, IMEI, nothing. I'll double check it to see if I have missed something. Never got this blank line, would be happy if you shared how you achieved it, maybe there could be some insight I can get from the process. Answering the question about the bootloader, the extraction isn't a part of a rooting method, it's only something I'm trying in order to get the list of oem fastboot commands of the phone. Those are manufacturer-specific, aren't listed anywhere, and differ from model to model. The method I'm using is the one from the article I pointed in my previous answer. Anyway, if it takes me anywhere, I'll bring an update about it with details.
---------- Post added at 23:36 ---------- Previous post was at 23:04 ----------
sd_shadow said:
The official list of devices that can be unlocked has never been complete.
Usually all moto models can be unlocked, except Carrier branded devices or those on Amazon software channel.
Those getting the barcode screen, is that from
Pressing the volume down button and power on, or
adb reboot bootloader
?
Sent from my ali using XDA Labs
Click to expand...
Click to collapse
The barcode is from entering the bootloader. Any method that gets you there shows it. At first I thought it was a driver-related bug, but after some experimentation it seems like whenever the device is recognized by fastboot, it shows this barcode; So it appears to be a bootloader-related thing (I never saw nothing like it, so just guessing for now). Also tried the method from the Motorola website, and I really wish it had worked as expected, but what it seems to me is that MediaTek devices are a pain in the ass in general for this kind of thing. The device doesn't recognizes the oem commands sent through fastboot as valid (And yes, OEM Unlocking is properly enabled under Developer Settings). Here's a screenshot from a powershell session showing the results of trying the commands. Notice how the device is correctly recognized by both adb and fastboot, only the unlocking commands doesn't work: https://pasteboard.co/JnW4cvK.png
sd_shadow said:
The official list of devices that can be unlocked has never been complete.
Usually all moto models can be unlocked, except Carrier branded devices or those on Amazon software channel.
Those getting the barcode screen, is that from
Pressing the volume down button and power on, or
adb reboot bootloader
?
Sent from my ali using XDA Labs
Click to expand...
Click to collapse
In my case the barcode shows up whenever I reach fastboot, whether via booting with [vol up + power] and then selecting fastboot, or via adb reboot bootloader. I've tried several barcode recognition apps and 2 out of 3 confirm it's my IMEI.
Nycticorax said:
In my case the barcode shows up whenever I reach fastboot, whether via booting with [vol up + power] and then selecting fastboot, or via adb reboot bootloader. I've tried several barcode recognition apps and 2 out of 3 confirm it's my IMEI.
Click to expand...
Click to collapse
Did you try
Code:
fastboot flashing unlock_critical
according to this thread... it is for e6 plus. May be it works with e6 play.
https://old.reddit.com/r/androidroot/comments/f6c5k5/unlock_bootloader_moto_e6_plus/fupyalw/
No,
Code:
fastboot flashing unlock critical
does not work. And no, we shouldn't assume that a method meant for the e6 plus works for the e6 play.
Phone in red state not able to change settings
I have struggled with the same problems as above. I am not able to get into the developer mode as I only have access to the recovery screen. Anybody who knows how to do that from the recovery screen - perhaps using terminal?
I have been able to enter into the phone by adb sideload filename.zip and the phone acknowledged connection, but the upload failed, probably due to I am not able to unlock the phone from the red state/Android Recovery. It is running bali-reteu/bali9/POAS29.550-81-1/
glensbo said:
I have struggled with the same problems as above. I am not able to get into the developer mode as I only have access to the recovery screen. Anybody who knows how to do that from the recovery screen - perhaps using terminal?
I have been able to enter into the phone by adb sideload filename.zip and the phone acknowledged connection, but the upload failed, probably due to I am not able to unlock the phone from the red state/Android Recovery. It is running bali-reteu/bali9/POAS29.550-81-1/
Click to expand...
Click to collapse
It is not clear to me what you did exactly. The step where we -- the others participants to this post and I -- are stuck is [2] here below:
boot to fastboot by running `adb reboot bootloader` from a command line on a connected and turned on device
get the OEM unlock code by doing `fastboot oem get_unlock_data` from a connected device under the fastboot interface
exchange the unlock code on the motorola support site and input that code to confirm bootloader unlock
glensbo said:
I have struggled with the same problems as above. I am not able to get into the developer mode as I only have access to the recovery screen. Anybody who knows how to do that from the recovery screen - perhaps using terminal?
I have been able to enter into the phone by adb sideload filename.zip and the phone acknowledged connection, but the upload failed, probably due to I am not able to unlock the phone from the red state/Android Recovery. It is running bali-reteu/bali9/POAS29.550-81-1/
Click to expand...
Click to collapse
Got a little further as the code:
#fastboot flash unlock_critical Filename.zip#
the phone replied - Transferring and Transmission OK .... time etc
But I got an error sadly to say:
Failed (remote: not allowed in locked state) so I'm back to basics as I cannot open the state from the recovery mode (as of yet)
glensbo said:
Got a little further as the code:
#fastboot flash unlock_critical Filename.zip#
the phone replied - Transferring and Transmission OK .... time etc
But I got an error sadly to say:
Failed (remote: not allowed in locked state) so I'm back to basics as I cannot open the state from the recovery mode (as of yet)
Click to expand...
Click to collapse
Okay, I would like to be positive and call that a progress but the whole point of steps (2-3) is to have it unlocked so that you can proceed to root to flashing it the way you're trying to.
So I am pretty pessimistic on that one. To me it looks like a case of a cheap phone a company has no real urge to make easy to unlock.
Nycticorax said:
It is not clear to me what you did exactly. The step where we -- the others participants to this post and I -- are stuck is [2] here below:
boot to fastboot by running `adb reboot bootloader` from a command line on a connected and turned on device
get the OEM unlock code by doing `fastboot oem get_unlock_data` from a connected device under the fastboot interface
exchange the unlock code on the motorola support site and input that code to confirm bootloader unlock
Click to expand...
Click to collapse
Sorry got carried away finding a group dealing with the same problem as I have. And not skimming but reading the text I can confirm that I am stuck at the same place. Sorry for the interruption. I will revert if/when I have something new.
glensbo said:
Sorry got carried away finding a group dealing with the same problem as I have. And not skimming but reading the text I can confirm that I am stuck at the same place. Sorry for the interruption. I will revert if/when I have something new.
Click to expand...
Click to collapse
It's okay. I hope one of us can find something useful. Let Root, the God of Hacks, send His best love waves to you guys
wow No Help
Biniesuschristos said:
wow No Help
Click to expand...
Click to collapse
Just curious do you know what software Channel your phone is on?
The software Channel might be listed in
Settings/ about phone.
Or try
Code:
fastboot getvar all
While in fastboot mode
ro.carrier = Software Channel
Sent from my ocean using XDA Labs
You didn't ask me but perhaps it might help you help us:
Code:
reteu
for me.
I'm don't actually know anything regarding rooting mobile devices but i'm going to post some of my experience thinking it might help someone who actually knows what to do.
I've been having the same issue while trying to unlock the bootloader.
As it seems all of the fastboot commands are working fine except the OEM ones which is strange considering that i'm sure i toggled the OEM Unlock on the dev. options, just like some members commented already.
Regarding the barcode it shows as soon as i connect the device via USB in Fastboot mode, and it shows up when i use "adb reboot bootloader" too, but it wasn't showing before i updated the USB Drives so i could find the device via "fasboot devices" (the phone wasn't showing before i did it).
pontiacus said:
I'm don't actually know anything regarding rooting mobile devices but i'm going to post some of my experience thinking it might help someone who actually knows what to do.
I've been having the same issue while trying to unlock the bootloader.
As it seems all of the fastboot commands are working fine except the OEM ones which is strange considering that i'm sure i toggled the OEM Unlock on the dev. options, just like some members commented already.
Regarding the barcode it shows as soon as i connect the device via USB in Fastboot mode, and it shows up when i use "adb reboot bootloader" too, but it wasn't showing before i updated the USB Drives so i could find the device via "fasboot devices" (the phone wasn't showing before i did it).
Click to expand...
Click to collapse
Windows 10?
Sent from my ocean using XDA Labs
@sd_shadow: Do you think it looks like a bootloader you could unlock?